Revisiting the CJEU’s ruling on CRA scoring and data retention – key considerations for market participants
RegCORE – Client Alert | German Regulatory Developments
QuickTake
In the context of financial services in Germany, the Schutzgemeinschaft für allgemeine Kreditsicherung (SCHUFA) is one of the leading private credit reference agencies (CRAs) that collects individuals’ credit histories and provides credit scores to lenders, other financial services providers as well as non-financial corporates as real economy users of CRAs’ credit information and scoring. SCHUFA uses a proprietary algorithm and probability-based scoring system to calculate its credit “score” based on certain characteristics of that person. The estimation of such scores is based on a set of assumptions and circumstances surrounding the individual in question, who accordingly then gets assigned to a group of persons with comparable characteristics, allowing similar behaviour to be predicted on a going forward basis. [Footnote: Judgment of 7 December 2023, SCHUFA Holding (Scoring), C-634/21, EU:C:2023:957, para 14.]
On 7 December 2023, the Court of Justice of the European Union (CJEU) released a judgment (Case C-634/21) (the Automated Processing Decision) on a request for a preliminary ruling brought to it concerning so-called “SCHUFA-scoring”, its use in lending procedures and its compatibility with the EU’s General Data Protection Regulation (GDPR). [Footnote: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).] Equally on 7 December 2023, the CJEU issued a decision in joined cases C-26/22 and C-64/22 concerning the retention of data from public insolvency registers by CRAs once such data had ceased to be available in the public register (the Insolvency Data Decision – collectively with the Automated Processing Decision, the CJEU’s Rulings). The German cases leading to the CJEU’s Rulings all stem from domestic proceedings that commenced in 2021 and 2022.
Since the publication of the CJEU’s Rulings, SCHUFA announced that it is further developing its creditworthiness calculation methodology, stating that it will be even easier to understand in the future. In May 2024 the company published a statement [Footnote: SCHUFA, SCHUFA arbeitet an neuer Score-Generation, 21.05.2024.] concerning its new scoring model, which will be introduced in 2025. This fourth version of the methodology, which is currently being trialled and discussed with partners under the name “SCHUFA Next Generation”, aims to advance the transparency campaign it launched in 2022. The company emphasised that its new scoring model will continue to provide companies with a reliable basis for decision-making, while making sure that it is easier for consumers to understand.
CRAs certainly do and will continue to play a crucial role in the EU’s financial ecosystem by providing credit information that helps creditors assess the creditworthiness of individuals and businesses. The greater use of machine learning coupled with predictive/probability analytics and artificial intelligence (collectively AI) for profiling will equally continue to transform how CRAs operate. As discussed in this Client Alert, the CJEU’s Rulings, while focusing on German-relevant developments, may be relevant to CRAs operating well beyond Germany as well as other non-CRA service providers (including beyond financial services) that provide critical decision-making support.
In summary, while AI (where compliant with the EU’s AI Act) can be used, its use must be compliant with the consent obtained from the data subject as well as with the rights afforded to the data subject by the GDPR. These include the right of the data subject to request human intervention, to express their point of view and to contest decisions made about them, together with the right to object to processing based on legitimate interests, the right to erasure and the right to judicial review, and the balancing of these rights against the processing.
Background to key principles
In the EU, the regulation and supervision of CRAs are governed by a combination of EU-wide regulations and national laws. At the EU level the GDPR as the cornerstone of data protection law applies to all organisations, including CRAs, that process personal data. In addition to the GDPR, CRAs are subject to national laws in each EU Member State. For example, in Germany, SCHUFA is regulated under the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).
National laws may impose additional requirements on CRAs, such as specific obligations regarding data accuracy, retention periods, and the handling of disputes. Each EU Member State has a designated Data Protection Authority (DPA) responsible for enforcing data protection laws and coordination through the European Data Protection Board (EDPB). [Footnote: The EDPB is an independent European body that ensures consistent application of the GDPR across the EU. It provides guidelines, recommendations, and best practices for data protection. The EDPB can also issue binding decisions in cases of cross-border data processing, which is particularly relevant for CRAs operating in multiple EU countries.] Collectively, these authorities have the power to investigate complaints, conduct audits, and impose fines for non-compliance. [Footnote: For instance, in Germany, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) oversees the activities of CRAs like SCHUFA.] While CRAs are primarily regulated under data protection and consumer protection laws, they may also be subject to financial supervision if they engage in activities that fall under financial regulation. This includes, for example, providing credit scores that are used in financial decision-making processes.
The CJEU’s Rulings concern the protection of natural persons and the processing of their personal data under the GDPR, the automated establishment of a probability value of credit scores from CRAs concerning the ability of a person to meet payment commitments in the future and the use thereof by third parties. The CJEU, in its role as the chief judicial authority of the EU and thus overseer of the uniform application and interpretation of EU law, is certainly no stranger to assessing financial services and the interplay with GDPR as well as providing clarity and certainty to parties on how EU law is to be interpreted at the EU level as well as at the national level.
Article 22 of the GDPR is pivotal in the context of automated decision-making and profiling. It stipulates that individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. However, this prohibition is not absolute. Exceptions exist where such decisions are necessary for entering into or performing a contract between the data subject and a data controller, are authorised by EU or Member State law, or are based on the data subject's explicit consent. These exceptions are further conditioned by the requirement to implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, including the right to obtain human intervention, express their point of view, and contest the decision.
Key takeaways from the Automated Processing Decision
The facts leading to the Automated Processing Decision are by and large common for consumers seeking credit – not just in Germany but across the EU. An individual, OQ, was denied credit after SCHUFA had supplied credit information about her. OQ requested access and deletion from SCHUFA, which provided the data but not how it calculated the score, citing trade secrets. OQ complained to the Hamburg DPA, the Commissioner for Data Protection and Freedom of Information, which denied her claim. The Administrative Court of Wiesbaden, Germany (the Administrative Court), hearing OQ’s appeal, submitted the case to the CJEU for a preliminary ruling on whether the SCHUFA rating system constituted an automated individual decision under Article 22(1) GDPR.
The CJEU was asked to consider the following issues:
1. Automated decision-making and profiling:
- Whether the automated establishment of a probability value (credit score) by SCHUFA constitutes ‘automated individual decision-making’ under Article 22(1) of the GDPR.
- Whether such a probability value, when used by third parties to make decisions about contractual relationships, falls within the scope of Article 22(1).
2. National legislation compatibility:
Whether national legislation (specifically Paragraph 31 of the BDSG) that permits the use of such probability values is compatible with Articles 6(1) and 22 of the GDPR.
The CJEU’s findings can be summarised as follows:
A. Automated individual decision-making:
- The CJEU held that the automated establishment of a probability value by a credit information agency like SCHUFA, based on personal data, constitutes ‘automated individual decision-making’ under Article 22(1) of the GDPR.
- This is particularly true when a third party, such as a bank, relies heavily on this probability value to make decisions about establishing, implementing, or terminating a contractual relationship with the data subject.
- The CJEU emphasised that such automated decisions produce legal effects or similarly significantly affect the data subject, fulfilling the three cumulative conditions set out in Article 22(1): first, there is a decision; second, the decision is based solely on automated processing, including profiling; and third, it produces a legal effect concerning the interested party. Accordingly, the SCHUFA-scores were considered to fall within the scope of Article 22 of the GDPR.
- The CJEU concluded that the establishment of probability values is covered by Article 22(1) of the GDPR and should be regarded as prohibited unless one of the exceptions set out in Article 22(2) of the GDPR is applicable, namely (a) the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, (b) the decision is authorised by EU or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or (c) the decision is based on the data subject’s explicit consent. The additional requirements provided for in Article 22(3) and (4) of the GDPR also have to be complied with in this context. [Footnote: Judgment of 7 December 2023, SCHUFA Holding (Scoring), C-634/21, EU:C:2023:957, para 61.] Article 22(3) and (4) of the GDPR provide that awarding probability values such as the SCHUFA-Scores is permissible only where the decision (i) is necessary for entering into, or performance of, a contract between the data subject and a data controller, (ii) is authorised by EU or Member State law to which the controller is subject (which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests) or (iii) is based on the data subject’s explicit consent.
B. National legislation compatibility:
- The CJEU emphasised in its decision that in the present case the Administrative Court had stated that “only” section 31 BDSG could constitute a national legal basis for the purposes of Article 22(2)(b) of the GDPR. To this end, the CJEU underlined that it had serious doubts as to the compatibility of section 31 of the BDSG with EU law and made clear that, should the provision be deemed incompatible with EU law, SCHUFA would act not only without a legal basis but would equally disregard the prohibition laid down in Article 22(1) of the GDPR. [Footnote: Judgment of 7 December 2023, SCHUFA Holding (Scoring), C-634/21, EU:C:2023:957, para 71.]
- Accordingly, the CJEU noted that any national legislation authorising automated decision-making must include suitable measures to safeguard the data subject's rights and freedoms, as required by Article 22(2)(b) of the GDPR.
- The referring court, i.e. the Administrative Court, must verify whether Paragraph 31 of the BDSG meets these requirements and complies with Articles 5 and 6 of the GDPR.
In summary, the CJEU in its Automated Processing Decision has clarified that a CRA engages in automated individual decision-making when it develops credit repayment probability scores through automated processing and lenders heavily depend on them to negotiate, implement, or terminate contracts. This means the CRA, not the lender, must comply with Article 22 of the GDPR. Through its decision, the CJEU equally emphasises that those using CRAs may not decide exclusively on the basis of such automated scores whether they conclude contracts with customers. Put another way, firms may continue to use SCHUFA and other CRA scores in their creditworthiness assessments provided that such scores are not the sole deciding factor for concluding the contract, and data subjects must be informed about the logic involved in such processes as well as the significance and the envisaged consequences of such processing for them. Depending on how SCHUFA-Scores were relied on in the past, some firms may have to adjust their practices and/or their creditworthiness determination procedures, as they will otherwise breach EU law.
Key takeaways from the Insolvency Data Decision
CRAs must retain insolvency data in accordance with a DPA-approved code of conduct. The GDPR includes a statutory right for a data subject to request erasure (the right to be forgotten). Similarly to the above, the CJEU received a request for a preliminary ruling from the Administrative Court in proceedings involving UF and AB, the Federal State of Hessen and SCHUFA, on whether CRAs could store insolvency register data after the date on which it was no longer publicly accessible. The DPA for the Land Hessen had argued that UF and AB did not have a right to a full judicial review of the DPA’s decision; rather, it argued, the GDPR grants individuals only a more restricted right to have it confirmed that the DPA has handled the complaint, investigated it and informed the complainant of the outcome. This was rejected by the CJEU.
The CJEU was asked to address significant interpretative issues concerning various provisions of the GDPR and the Charter of Fundamental Rights of the EU (the Charter) on (i) lawfulness of data processing by CRAs, (ii) the right to erasure/right to be forgotten, (iii) implications for codes of conduct and (iv) judicial review of supervisory authority decisions. Accordingly, the CJEU concluded that with respect to:
1. Lawfulness of data processing by CRAs: The CJEU examined whether the practice of private CRAs, such as SCHUFA, of retaining data from public (insolvency) registers beyond the period stipulated for such public registers is lawful under the GDPR and, specifically, it held that:
- such retention practices run against Article 5(1)(a) and point (f) of the first subparagraph of Article 6(1) of the GDPR, and are precluded if they extend beyond the period during which the data are kept in public registers; and
- The CJEU’s decision underscores that data processing must be necessary for legitimate interests and must not override the fundamental rights and freedoms of data subjects.
2. The right to erasure/right to be forgotten: The CJEU expressed, in respect of such rights under Article 17(1)(c) and (d) GDPR, that:
- data subjects have the right to obtain erasure of their personal data without undue delay if the data subjects object to processing and there are no overriding legitimate grounds for such processing; and
- if personal data have been unlawfully processed, data controllers are obligated to erase such data as soon as possible. This reinforces the GDPR's commitment to protecting individuals' rights to privacy and data protection.
3. Implications for code of conduct: The CJEU noted that:
- While codes of conduct approved under Article 40 of the GDPR can contribute to the regulation’s proper application, they cannot alter the fundamental conditions for lawful data processing as stipulated in Article 6(1) GDPR; and
- Any code of conduct that provides for retention periods exceeding those set for public registers cannot justify extended data retention by private agencies including by CRAs.
4. Judicial review of supervisory authority decisions: The CJEU clarified that:
- Article 78(1) of the GDPR mandates full judicial review of decisions made by supervisory authorities on complaints. This means that courts must have the jurisdiction to examine all questions of fact and law relevant to the dispute, ensuring effective judicial protection as required by Article 47 of the Charter; and
- The CJEU fully rejected the notion that judicial review should be limited to verifying whether the supervisory authority handled the complaint appropriately and informed the complainant of the outcome. Instead, it emphasised that such decisions must be subject to comprehensive judicial scrutiny to uphold the rights and interests of data subjects effectively. The CJEU concluded that data subjects have the right to a full judicial review of a decision by a DPA.
Impacts of the CJEU’s Ruling on loan origination and credit servicing
Credit scoring plays an important role in creditworthiness assessments and thus needs to also be read in the context of the EU’s rules on loan origination and monitoring and the EU’s Credit Servicing Directive (CSD). The European Banking Authority (EBA) developed Guidelines on loan origination and monitoring (the Guidelines) which emphasise responsible lending practices, including thorough creditworthiness assessments and robust data governance frameworks. The CSD aims to facilitate the development of a secondary market for non-performing loans (NPLs) while ensuring borrower protection.
The CJEU’s Rulings reinforce (perhaps ever more clearly than before) and support the objectives of (i) the Guidelines, by ensuring that CRAs and lenders, as well as (ii) credit servicers and credit purchasers in the context of the CSD, adhere to stringent data protection standards. In particular, affected financial market participants should note the following:
a. Data minimisation and retention: The CJEU’s Rulings reiterate and clarify that personal data should not be retained longer than necessary, aligning with the Guidelines’ and CSD’s emphasis on minimising data retention periods to what is strictly required for creditworthiness assessments.
b. Transparency and fairness: The requirement for full judicial review of supervisory authority decisions ensures transparency and fairness in handling complaints related to data processing. This aligns with the Guidelines and the CSD on ensuring transparent communication with borrowers about their credit assessments.
c. Automated decision-making: The CJEU’s Rulings on automated decision-making underscore the need for human intervention in significant decisions affecting individuals, which is consistent with the Guidelines and supervisory commentary overall in advocating human oversight in automated credit decision processes.
d. Legal basis for data processing: The CJEU’s Rulings stress the necessity of having a clear legal basis for processing personal data, which complements the Guidelines and CSD on ensuring that all data processing activities in the credit lifecycle are lawful and justified.
As highlighted above, SCHUFA Next Generation, which is set to be introduced in 2025 (and which will have a transition period to facilitate adoption) aims to enhance transparency and comprehensibility in credit scoring. It aims to achieve this by consolidating up to 50 existing score variants into a single central score. This new score will focus on 10 to 15 relevant variables, maintaining factors like instalment loans and payment defaults. Crucially SCHUFA states that it will not employ AI or machine learning in the new model. Users of SCHUFA scoring will still be free to apply AI and/or machine learning in their processes, provided the outcomes of the CJEU’s Rulings and other respective laws are complied with. SCHUFA will however continue to rely on its own data without integrating third-party data.
Financial services firms must reassess their creditworthiness assessment procedures to ensure compliance with the CJEU’s Rulings. This involves ensuring no over-reliance on automated credit scores for making lending decisions but incorporating human oversight into the decision-making process. Firms should also review their data retention policies to ensure that personal data is not retained longer than necessary and is processed in accordance with GDPR principles. Additionally, firms must ensure they evidence how they review and where warranted strengthen robust data governance frameworks that include clear policies on data accuracy, transparency and the handling of disputes.
Outlook
The CJEU’s Rulings mark a potential turning point for CRAs and financial services firms across the EU. These decisions underscore the necessity for compliance with the GDPR and highlight the importance of transparency, data minimisation and human oversight in automated decision-making processes. Certain market participants may need to reassess and potentially recalibrate their creditworthiness assessment procedures to align with these new clarifications to existing legal standards.
Certain firms may need to prioritise the integration of robust data governance frameworks that ensure compliance with GDPR principles. This includes revisiting data retention policies to guarantee that personal data is not held longer than necessary and is processed lawfully. Firms should also implement comprehensive transparency measures, ensuring that consumers are fully informed about how their data is used in credit scoring processes. The clear expectation on the importance of human intervention in automated decision-making processes necessitates the reinforcement of protocols that allow for human review and oversight, thereby safeguarding the rights and freedoms of data subjects.
The revisions to CRAs’ scoring models may also present an opportunity for financial institutions to adapt their technological infrastructures to the compliance requirements flowing from the CJEU’s Rulings, including on a look-through basis from CRA to user and credit decision-taker and vice versa. In light of these developments, some financial services firms may want to engage in strategic planning to navigate the evolving regulatory landscape. This involves conducting thorough risk assessments to identify potential compliance gaps and implementing corrective measures where necessary. The CJEU’s emphasis on consumer rights and data protection may necessitate a shift for certain firms towards more consumer-centric approaches in creditworthiness assessments and clearly communicating to consumers how credit scores are calculated and used, along with the length of data retention periods.
About us
PwC Legal is assisting a number of financial services firms and market participants in forward planning for changes stemming from relevant related developments. We have assembled a multi-disciplinary and multijurisdictional team of sector experts to support clients in navigating challenges and seizing opportunities as well as in proactively engaging with their market stakeholders and regulators.
In order to assist firms in staying ahead of their compliance obligations we have developed a number of RegTech and SupTech tools for supervised firms. This includes PwC Legal’s Rule Scanner tool, backed by a trusted set of managed solutions from PwC Legal Business Solutions, allowing for horizon scanning and risk mapping of all legislative and regulatory developments as well as sanctions and fines from more than 1,500 legislative and regulatory policymakers and other industry voices in over 170 jurisdictions impacting financial services firms and their business.
Equally, in leveraging our Rule Scanner technology, we offer a further solution for clients to digitise financial services firms’ relevant internal policies and procedures, create a comprehensive documentation inventory with an established documentation hierarchy and embedded glossary that has version control over a defined backward plus forward looking timeline to be able to ensure changes in one policy are carried through over to other policy and procedure documents, critical path dependencies are mapped and legislative and regulatory developments are flagged where these may require actions to be taken in such policies and procedures.
The PwC Legal Team behind Rule Scanner are proud recipients of ALM Law.com’s coveted “2024 Disruptive Technology of the Year Award”.
If you would like to discuss any of the developments mentioned above, or how they may affect your business more generally, please contact any of our key contacts or PwC Legal’s RegCORE Team via de_regcore@pwc.com or our website.